Background Reports: New Rules Require Proper Disposal Of Consumer Information

A new federal rule requires businesses and individuals to take appropriate measures to dispose of
sensitive information derived from consumer reports. Any business or individual
who uses a consumer report for a business purpose is subject to the
requirements of the Disposal Rule, a part of the Fair and Accurate Credit
Transactions Act of 2003 (FACTA), which calls for the proper disposal of
information in consumer reports and records to protect against
"unauthorized access to or use of the information."

The standard for the proper disposal of information derived from a consumer report is flexible, and
allows the organizations and individuals covered by the Rule to determine what
measures are reasonable based on the sensitivity of the information, the costs
and benefits of different disposal methods, and changes in technology. Although
the Disposal Rule applies to consumer reports and the information derived from
consumer reports, the FTC encourages those who dispose of any records
containing a consumer's personal or financial information to take similar
protective measures.

The Rule applies to individuals and to both large and small organizations that use consumer reports, including:
consumer reporting companies; lenders; insurers; employers; landlords;
government agencies; mortgage brokers; car dealers; attorneys; private
investigators; debt collectors; individuals who pull consumer reports on
prospective home employees, such as nannies or contractors; and entities that
maintain information in consumer reports as part of their role as a service
provider to other organizations covered by the Rule.

The Disposal Rule applies to consumer reports or information derived from consumer reports. The Fair
Credit Reporting Act defines the term consumer report to include information
obtained from a consumer reporting company that is used - or expected to be
used - in establishing a consumer's eligibility for credit, employment, or insurance,
among other purposes. Examples of consumer reports include credit reports,
credit scores, reports businesses or individuals receive with information
relating to employment background, check writing history, insurance claims,
residential or tenant history, or medical history.

The Rule requires disposal practices that are reasonable and appropriate to prevent the
unauthorized access to - or use of - information in a consumer report. For
example, reasonable measures for disposing of consumer report information could
include establishing and complying with policies to: burn, pulverize, or shred
papers containing consumer report information so that the information cannot be
read or reconstructed; destroy or erase electronic files or media containing
consumer report information so that the information cannot be read or
reconstructed; or conduct due diligence and hire a document destruction
contractor to dispose of material specifically identified as consumer report
information consistent with the Rule. Due diligence could include: reviewing an
independent audit of a disposal company's operations and/or its compliance with
the Rule; obtaining information about the disposal company from several
references; requiring that the disposal company be certified by a recognized
trade association; or reviewing and evaluating the disposal company's
information security policies or procedures.

Financial institutions that are subject to both the Disposal Rule and the Gramm-Leach-Bliley (GLB)
Safeguards Rule, which requires institutions to take steps to protect sensitive
customer information, should incorporate practices dealing with the proper
disposal of consumer information into the information security program that the
Safeguards Rule requires. Information is available at http://www.ftc.gov/privacy/privacyinitiatives/safeguards.html.

The FTC has issued a new publication, "New Rule Seeks to Protect Privacy by Requiring Proper Disposal of
Sensitive Consumer Information," available at http://www.ftc.gov/bcp/conline/pubs/alerts/disposalalrt.htm,
to educate businesses about the new requirements.